Чтобы включить IP accounting необходимо в режиме конфигурации интерфейса ввести команду: ip accounting output-packets
Чтобы вести точный учёт трафика, программное обеспечение поддерживает две базы данных: active и checkpoint. После выполнения команды clear ip accounting (выполняется в EXEC-режиме) данные из базы active переносятся в checkpoint, а база active очищается. Для чего это сделано? Если снимать статистику непосредственно с активной базы, то за само время снятия она продолжает пополняться: часть информации теряется или не соответствует действительности. Когда же вы сбрасываете active DB в checkpoint DB, активная база полностью обнуляется, а статистику вы снимаете с checkpoint DB, которая «статична». Active DB сразу после сброса снова начинает пополняться. Т.е. вам надо зафиксировать данные в определённый момент времени — это и решается с помощью checkpoint DB.
Итак, чтобы отобразить активную базу данных аккаунтинга, используйте команду show ip accounting (команда EXEC-режима). Чтобы отобразить checkpoint-базу, используйте команду show ip accounting checkpoint (также команда EXEC-режима). Команда clear ip accounting (тоже EXEC-режим) очищает активную базу данных и создаёт checkpoint-базу. Если эти команды выполняются с gate через rsh (см. ниже), помните, что rsh передаёт команды и вывод открытым текстом и проверяет клиента только по адресу источника — ограничьте доступ к маршрутизатору ACL'ом или используйте SSH.
interface FastEthernet1/0 ip accounting output-packets interface FastEthernet1/1 ip accounting output-packets
# rsh router "clear ip acco" # rsh router "show ip acco check"
ip flow-export version 5 ip flow-export destination gate 4444 interface FastEthernet1/0 ip route-cache flow interface FastEthernet1/1 ip route-cache flow
[gate:~] # tcpdump -ni fxp0 "port 4444"
[gate:~] # pkg_add -r ehnt [gate:~] # /usr/local/etc/rc.d/ehntserv.sh.sample start [gate:~] # rehash [gate:~] # ehnt Using report interval of 60 minute(s) flow #1 received from router 172.16.1.X, IP protocol 1 input ifIndex: 2 source IP address: 194.87.0.50 source port: 0 source AS: <unknown>(0) output ifIndex: 0 dest IP address: 192.168.X.40 dest port: 0 dest AS: <unknown>(0) bytes in flow: 1K packets in flow: 20 ... [gate:~] # /usr/local/etc/rc.d/ehntserv.sh.sample stop
root@gate:~# cd /usr/src root@gate:/usr/src# wget http://downloads.sourceforge.net/project/ehnt/ehnt/0.4/ehnt-0.4.tgz?use_mirror=sunet root@gate:/usr/src# tar -xvzf ehnt-0.4.tgz root@gate:/usr/src# cd ehnt root@gate:/usr/src/ehnt# make root@gate:/usr/src/ehnt# ./ehntserv bind Unix error: No such file or directory
[gate:~] # pkg_add -r flow-tools [gate:~] # grep flow /etc/rc.conf flow_capture_enable=yes flow_capture_port=4444 [gate:~] # /usr/local/etc/rc.d/flow_capture start
root@gate:~# apt-get install flow-tools root@gate:~# cat /etc/flow-tools/flow-capture.conf -w /var/db/flows 0/0/4444 root@gate:~# mkdir -p /var/db/flows root@gate:~# /etc/init.d/flow-capture start
flow-capture накапливает данные текущего интервала во временном файле; чтобы сразу преобразовать его в постоянный (не дожидаясь окончания интервала), перезапустите сервис flow-capture.
[gate:~] # flow-cat /var/db/flows/ | flow-print или более подробно, включая дату начала и окончания потоков [gate:~] # flow-cat /var/db/flows/ | flow-print -f5 [gate:~] # flow-cat -t "5/2/2012 00:00:00" -T "5/2/2012 23:59:59" /var/db/flows/ | flow-print
(время в параметрах -t/-T задаётся в местном часовом поясе)
gate# cat netams.conf ... unit host name router ip 172.16.1.X acct-policy ip www mail unit host name gate ip 192.168.X.1 acct-policy ip www mail unit user name student ip 192.168.X.40 parent CLIENTS email student@corpX.un acct-policy ip www mail unit net name LAN ip 192.168.X.0/24 acct-policy ip www mail ... service data-source 1 type netflow source 192.168.X.2 listen 0 4444 ... path /PATH/TO/APACHE/DOCUMENTROOT/netams ... url http://192.168.X.1/netams/ ...
monitor session 1 source interface f0/1 both monitor session 1 destination interface f0/2
[gate:~] # ifconfig eth1 up [gate:~] # tcpdump -ni eth1 -A -s 0 "port 80"
Периодически нужно обновлять Snort из портов: архивы правил привязаны к версии Snort (например, snortrules-snapshot-2.8 для Snort 2.8.x), поэтому новые правила требуют соответствующей версии.
[gate:~] # pkg_add -r snort [gate:~] # cd /usr/local/etc/snort [gate:~] # cat /usr/local/etc/snort/snort.conf ... output alert_syslog: LOG_AUTH LOG_ALERT output alert_fast: alert ... [gate:local/etc/snort] # fetch http://www.snort.org/pub-bin/oinkmaster.cgi/xxxxxxxxxxxxxxxxx/snortrules-snapshot-2.8.tar.gz [gate:local/etc/snort] # tar -xvf snortrules-snapshot-2.8.tar.gz rules/ [gate.corp3.un:local/etc/snort] # rcsdiff rules/web-iis.rules < # alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS CodeRed v2 root.exe access"; flow:to_server,established; uricontent:"/root.exe"; nocase; metadata:service http; reference:url,www.cert.org/advisories/CA-2001-19.html; classtype:web-application-attack; sid:1256; rev:11;) --- > alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS CodeRed v2 root.exe access"; flow:to_server,established; uricontent:"/root.exe"; nocase; metadata:service http; reference:url,www.cert.org/advisories/CA-2001-19.html; classtype:web-application-attack; sid:1256; rev:11;) [gate:~] # /usr/local/etc/rc.d/snort rcvar [gate:~] # cat /etc/rc.conf ... snort_enable=YES snort_interface=em1 [gate:~] # /usr/local/etc/rc.d/snort start Starting snort.
root@gate:~# apt-get install snort root@gate:~# cat /etc/snort/snort.debian.conf ... DEBIAN_SNORT_INTERFACE="eth1" DEBIAN_SNORT_HOME_NET="0.0.0.0/0" ... [gate:~] # cat /etc/snort/snort.conf ... output alert_syslog: LOG_AUTH LOG_ALERT output alert_fast: alert ...
# tail -f /var/log/snort/alert
# tail -f /var/log/messages
# tail -f /var/log/auth.log
http://val.bmstu.ru/root.exe
[gate:~] # pkg_add -r oinkmaster [gate:~] # rehash [gate:~] # cd /usr/local/etc/
root@gate:~# apt-get install oinkmaster root@gate:~# cd /etc/
gate# cat oinkmaster.conf ... url = http://www.snort.org/pub-bin/oinkmaster.cgi/xxxxxxxxxxxxxxxxx/snortrules-snapshot-2.8.tar.gz ... tmpdir = /var/tmp/ ... gate# oinkmaster -o /CHANGE/DIR/snort/rules/
[gate:~] # pkg_add -r snortsnarf
[gate:~] # cat /usr/local/etc/scripts/snortsnarf.sh
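#!/bin/sh
#
# snortsnarf.sh - daily rotation of the Snort alert file and generation of a
# SnortSnarf HTML report for the previous day (FreeBSD: BSD `date -v`, rc.d).
#
# Meant to run from cron shortly after midnight. The report is filed under
# yesterday's date, which is when the alerts accumulated in the live file.
# Snort keeps the alert file open, so rotation is done by stopping Snort,
# moving the file aside and starting Snort again; the IDS has no coverage
# during that gap.
#
# Exit status: 0 on success; non-zero if the report date cannot be computed.
set -u

snort_rc=/usr/local/etc/rc.d/snort
alert_dir=/var/log/snort
report_root=/usr/local/www/apache22/data/snortsnarf
keep_days=60

# Report date = yesterday, e.g. 2012.05.02 (BSD date syntax).
D=$(date -v-1d '+%Y.%m.%d') || exit 1
dayfile="$alert_dir/alert$D"

# Rotate the live alert file.
# NOTE(review): the target name "alert." is reproduced from the page as-is;
# it looks like a truncated suffix (e.g. "alert.$$") — confirm. It still
# works because the "alert.*" glob below matches it.
"$snort_rc" stop
/bin/mv "$alert_dir/alert" "$alert_dir/alert."
# Report a failed restart loudly (cron mails stderr) but still build the
# report from what was already rotated.
"$snort_rc" start || echo "snortsnarf.sh: snort failed to restart" >&2

# Merge every rotated fragment into one file for the day, deleting each
# fragment only after it was appended successfully.
for frag in "$alert_dir"/alert.*; do
  [ -e "$frag" ] || continue     # unmatched glob stays literal in POSIX sh
  cat "$frag" >> "$dayfile" && rm -f "$frag"
done

# Build the HTML report (priority 1 alerts only). The report lives under the
# Apache document root and exposes attacker and internal addresses, so that
# directory should be protected (auth/ACL), not left world-readable.
if [ -f "$dayfile" ]; then
  /usr/local/bin/snortsnarf -d "$report_root/$D/" -minprio=1 "$dayfile"
fi
# The raw alert text is discarded after the report is built; keep a copy
# elsewhere if it is needed for incident investigation or re-analysis.
rm -f "$dayfile"

# Expire report directories older than keep_days. -mindepth/-maxdepth 1
# restrict the match to the per-day directories: without them find also
# matches subdirectories of a directory it has just removed (and tries to
# descend into them), and could remove the report root itself.
/usr/bin/find "$report_root" -mindepth 1 -maxdepth 1 -type d \
  -mtime +"$keep_days" -exec rm -r {} \;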
[gate:~] # pkg_add -r snortsam [gate:~] # more /usr/local/share/doc/snortsam/README.conf [gate:~] # cd /usr/local/etc/snortsam/
root@gate:~# cd /usr/src root@gate:/usr/src# wget http://www.snortsam.net/files/snortsam/snortsam-src-2.69.tar.gz root@gate:/usr/src# tar -xvf snortsam-src-2.69.tar.gz root@gate:/usr/src# cd snortsam/ root@gate:/usr/src/snortsam# sh makesnortsam.sh root@gate:/usr/src/snortsam# cp snortsam /usr/sbin/ root@gate:/usr/src/snortsam# mkdir /etc/snortsam root@gate:/usr/src/snortsam# cd /etc/snortsam
В случае использования aaa new-model требуется пользователь с priv-lvl = 1. Обратите внимание: пароль этого пользователя и пароль enable хранятся в snortsam.conf открытым текстом (строка ciscoacl), поэтому файл должен быть доступен только root, а сама учётная запись — иметь на маршрутизаторе только те права, которые нужны для замены ACL.
(nat подменяет обратный адрес)
gate# cat snortsam.acl
conf terminal no ip access-list extended ACL_FIREWALL ip access-list extended ACL_FIREWALL snortsam-ciscoacl-begin snortsam-ciscoacl-end permit tcp any host 192.168.X.3 eq www permit icmp any any permit udp any any permit tcp any any established deny ip any any log end
gate# cat snortsam.conf
daemon nothreads accept 127.0.0.1 defaultkey secret # ciscoacl 192.168.X.2 student/tacacs cisco /usr/local/etc/snortsam/snortsam.acl # ciscoacl 192.168.X.2 student/tacacs cisco /etc/snortsam/snortsam.acl logfile /var/log/snortsam.log
FreeBSD:
[gate:~] # /usr/local/etc/rc.d/snortsam rcvar [gate:~] # /usr/local/etc/rc.d/snortsam start
Ubuntu:
root@gate:~# /usr/sbin/snortsam /etc/snortsam/snortsam.conf
gate# cat /tftpboot/snortsam.acl
no ip access-list extended ACL_FIREWALL ip access-list extended ACL_FIREWALL snortsam-ciscoacl-begin snortsam-ciscoacl-end permit tcp any host 192.168.X.3 eq www permit icmp any any permit udp any any permit tcp any any established deny ip any any log end
gate# cat snortsam.tftp copy tftp://192.168.X.1/ running-config gate# cat snortsam.conf ... # ciscoacl 192.168.X.2 student/tacacs cisco snortsam.acl|/usr/local/etc/snortsam/snortsam.tftp # ciscoacl 192.168.X.2 student/tacacs cisco snortsam.acl|/etc/snortsam/snortsam.tftp ... gate# cd /tftpboot/
FreeBSD:
[gate:/tftpboot] # snortsam /usr/local/etc/snortsam/snortsam.conf
Ubuntu:
root@gate:/tftpboot# snortsam /etc/snortsam/snortsam.conf
gate# cat snortsam.conf ... cisconullroute 192.168.X.2 student/tacacs cisco ...
[gate:~] # cd /usr/ports/security/snort [gate:ports/security/snort] # make config [gate:ports/security/snort] # cat /var/db/ports/snort/options ... WITH_SNORTSAM=true ... [gate:ports/security/snort] # make install clean [gate:ports/security/snort] # cd /usr/local/etc/snort/
http://www.snortsam.net/files/snort-plugin/readme.txt
root@gate:~# apt-get install libpcap-dev libpcre3-dev libtool automake autoconf root@gate:~# cd /usr/src root@gate:/usr/src# wget http://www.snortsam.net/files/snort-plugin/snortsam-2.8.6.diff.gz root@gate:/usr/src# gunzip snortsam-2.8.6.diff.gz root@gate:/usr/src# wget http://dl.snort.org/downloads/116 root@gate:/usr/src# mv snort-2.8.6.1.tar.gz\?AWSA... snort-2.8.6.1.tar.gz root@gate:/usr/src# tar -xvf snort-2.8.6.tar.gz root@gate:/usr/src# cd snort-2.8.6 root@gate:/usr/src/snort-2.8.6# patch -p1 < ../snortsam-2.8.6.diff root@gate:/usr/src/snort-2.8.6# sh autojunk.sh root@gate:/usr/src/snort-2.8.6# ./configure --prefix /usr/local/snort root@gate:/usr/src/snort-2.8.6# make root@gate:/usr/src/snort-2.8.6# make install root@gate:/usr/src/snort-2.8.6# cp -r etc/ /usr/local/snort/ root@gate:~# ln -s /usr/local/snort/lib/snort_dynamicengine /usr/local/lib/snort_dynamicengine root@gate:~# ln -s /usr/local/snort/lib/snort_dynamicpreprocessor /usr/local/lib/snort_dynamicpreprocessor root@gate:~# cd /usr/local/snort/ root@gate:/usr/local/snort# wget http://www.snort.org/pub-bin/oinkmaster.cgi/xxxxxxxxxxxxxx/snortrules-snapshot-2.8.tar.gz root@gate:/usr/local/snort# tar -xvf snortrules-snapshot-2.8.tar.gz rules/ root@gate:/usr/local/snort# cd /usr/local/snort/etc
gate# cat snort.conf
... output alert_fwsam: 127.0.0.1:898/secret ...
gate# cat sid-block.map
1256: src, 2 min
!!! Раскомментировать правило !!! gate# grep 1256 web-iis.rules alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS CodeRed v2 root.exe access"; flow:to_server,established; uricontent:"/root.exe"; nocase; classtype:web-application-attack; reference:url,www.cert.org/advisories/CA-2001-19.html; sid:1256; rev:7;) gate# grep web-application-attack classification.config config classification: web-application-attack,Web Application Attack,1
root@gate:~# /usr/local/snort/bin/snort -m 027 -D -d -l /var/log/snort -u snort -g snort -c /usr/local/snort/etc/snort.conf -i eth1